Linux TCP flaw lets ‘anyone’ hijack Internet traffic

What began as an attempt to make TCP/IP in Linux more robust ended up adding an attack vector that can be used to break, or even hijack, Internet connections involving Linux and Android systems.


Some days you can’t win for losing. In 2012, Linux implemented a new TCP/IP networking standard, RFC 5961, Improving TCP’s Robustness to Blind In-Window Attacks, to make connections harder to reset or inject into from off the path. In the process, the kernel’s implementation opened up a heretofore unknown side channel: the “challenge ACKs” the RFC introduces were rate-limited by a single global counter shared by every connection on the host, so an attacker holding its own ordinary connection to that host could count the challenge ACKs it received and learn whether spoofed packets aimed at somebody else’s connection were being accepted. Ironically, other operating systems that lagged in implementing this new “security” mechanism, such as FreeBSD, macOS, and Windows, are immune to this particular attack.

The attack can be used against any Internet connection in which at least one endpoint runs a vulnerable Linux kernel; the attacker does not need to sit anywhere on the path between the two hosts.

This is potentially a big deal because it can be used to break, or even hijack, Internet connections between Linux and Android systems. So, for example, if an Android smartphone connected to USA Today, the connection could be interrupted. The same attack, however, would fail on a link between a Windows PC and a server that is not running a vulnerable Linux kernel, because neither end exposes the side channel.

The problem exists in any operating system running Linux kernel 3.6 or newer. Linux 3.6 was introduced in 2012; the flaw was fixed in Linux 4.7 in 2016 and the fix was backported to distribution kernels. The vulnerability allows an attacker from anywhere on the Internet to test whether a given client and server have an open TCP connection, then to infer the sequence and acknowledgement numbers that connection is using. Once those numbers are known, the attacker can inject spoofed packets that the endpoints accept, cause connection termination with a forged reset, or perform data injection attacks. Until a patched kernel is in place, the interim mitigation distributions recommended was to raise the sysctl net.ipv4.tcp_challenge_ack_limit to a very large value, which makes the counter too large for an attacker to exhaust and observe within a second.
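To make the side channel concrete, here is a small simulation, written for this article and not code from the UCR researchers or from the kernel. It models a host that answers unexpected SYN-ACKs and bad-sequence RSTs on an established connection with rate-limited challenge ACKs, as RFC 5961 prescribes, and an off-path attacker who holds one legitimate connection to that host and uses the shared counter to discover which client port the victim is using. The 100-per-second budget is the pre-4.7 default; the “per-socket” mode is an assumed stand-in for a mitigated kernel (the actual 4.7 fix enlarged and randomised the counter), and every IP address and port is constructed for the example.

```python
"""
Toy model of the RFC 5961 challenge-ACK side channel behind CVE-2016-5696.

Added illustration for this article, not code from the UCR researchers or the
kernel. Hosts, packets and the kernel counters are simplified models: nothing
here opens a real socket, and all IPs and ports below are made up.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# (src_ip, src_port, dst_ip, dst_port) as seen by the receiving host
FourTuple = Tuple[str, int, str, int]

# Default net.ipv4.tcp_challenge_ack_limit before the 4.7 fix: 100 per second,
# shared by every connection on the host.
CHALLENGE_ACK_LIMIT = 100


@dataclass(frozen=True)
class Packet:
    flow: FourTuple
    # "SYN_ACK": spoofed probe; "RST_BAD_SEQ": an RST whose sequence number is
    # in-window but not exactly RCV.NXT. Under RFC 5961 both elicit a
    # challenge ACK when they hit an established connection.
    kind: str


class Host:
    """Receiving end implementing RFC 5961 challenge ACKs with a rate limit."""

    def __init__(self, active: Set[FourTuple], per_socket_limit: bool = False) -> None:
        self.active = set(active)
        # False: one global counter (vulnerable). True: assumed mitigation with a
        # counter per socket, so one connection's probes are invisible to another.
        self.per_socket_limit = per_socket_limit
        self.new_second()

    def new_second(self) -> None:
        """The kernel replenishes the challenge-ACK budget once per second."""
        self.global_budget = CHALLENGE_ACK_LIMIT
        self.socket_budget: Dict[FourTuple, int] = {}

    def _challenge_ack(self, flow: FourTuple) -> str:
        if self.per_socket_limit:
            left = self.socket_budget.get(flow, CHALLENGE_ACK_LIMIT)
            self.socket_budget[flow] = max(left - 1, 0)
            return "CHALLENGE_ACK" if left > 0 else "DROP"
        left = self.global_budget
        self.global_budget = max(left - 1, 0)
        return "CHALLENGE_ACK" if left > 0 else "DROP"

    def receive(self, pkt: Packet) -> str:
        if pkt.flow not in self.active:
            # No such connection: a SYN-ACK gets a plain RST and a stray RST is
            # ignored. Neither path touches the challenge-ACK counter.
            return "RST" if pkt.kind == "SYN_ACK" else "DROP"
        return self._challenge_ack(pkt.flow)


def connection_exists(host: Host, guess: FourTuple, own: FourTuple) -> bool:
    """Off-path test for whether `host` has a connection matching `guess`.

    Within one second the attacker spoofs LIMIT SYN-ACKs as the guessed peer,
    then sends LIMIT bad-sequence RSTs on its own legitimate connection and
    counts the challenge ACKs it gets back. With a global counter, every
    challenge ACK the spoofed probes consumed is one the attacker never sees.
    """
    host.new_second()
    for _ in range(CHALLENGE_ACK_LIMIT):
        host.receive(Packet(guess, "SYN_ACK"))
    seen = sum(host.receive(Packet(own, "RST_BAD_SEQ")) == "CHALLENGE_ACK"
               for _ in range(CHALLENGE_ACK_LIMIT))
    return seen < CHALLENGE_ACK_LIMIT


def find_client_port(host: Host, client_ip: str, server_ip: str, server_port: int,
                     own: FourTuple, ports: Iterable[int]) -> Optional[int]:
    """First stage of the attack: knowing both IPs and the server port, walk the
    candidate client ports until the side channel says 'connected'."""
    for port in ports:
        if connection_exists(host, (client_ip, port, server_ip, server_port), own):
            return port
    return None


if __name__ == "__main__":
    # Constructed sample: a phone talking to a web server, plus the attacker's own connection.
    victim = ("10.0.0.5", 40042, "203.0.113.10", 443)
    own = ("198.51.100.7", 50000, "203.0.113.10", 443)
    for patched in (False, True):
        server = Host({victim, own}, per_socket_limit=patched)
        found = find_client_port(server, "10.0.0.5", "203.0.113.10", 443, own, range(40000, 40100))
        print("per-socket limit" if patched else "global limit", "->", found)
```

Against the host with the global counter the scan stops at port 40042, because the spoofed probes aimed at the real connection drain the budget the attacker’s own RSTs would otherwise consume; against the per-socket variant every guess returns the full 100 challenge ACKs and the scan finds nothing. The same counting trick, applied to RSTs and data segments with guessed numbers, is what the researchers use in the later stages to narrow down the sequence and ACK windows.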

How bad is it? The discoverers say that the attack is fast and reliable, takes less than a minute, and works about 90 percent of the time.

According to University of California at Riverside (UCR) researchers, the Linux TCP/IP security hole can be used by attackers in a variety of ways: Hackers can hijack users’ internet communications remotely, launch targeted attacks that track users’ online activity, forcibly terminate a communication, hijack a conversation between hosts, or degrade the privacy guarantee of anonymity networks such as Tor.

“The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out,” said Zhiyun Qian, a UCR assistant professor of computer science. “Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses for victim client and server, which is fairly easy to obtain.”

Adding insult to injury, Qian added, “unlike conventional cyber attacks, users could become victims without doing anything wrong, such as downloading malware or clicking on a link in a phishing email.”

Worse still, the attack vector can be used even against encrypted connections such as HTTPS. While this doesn’t give an attacker the ability to read the encrypted data, it can be used to break a connection or to track who is talking to whom, since the side channel reveals the existence of a connection regardless of what is carried inside it. Against Tor and other anonymizers, an attacker could reset a network connection to force the client to rebuild its circuit through an already compromised relay.


Henry Sapiecha
